5614 (Posted September 2, 2004)
Every time I load MSN Messenger I get an error message from NIS [Norton Internet Security] Professional. I thought it might be random, might be chance, might be different people/machines, but it isn't (screen shot below), because every time it happens it is coming from the same IP address, so it must be from the same machine. Does anyone know who/what it is and how I could stop this?
Sayonara (Posted September 2, 2004)
Perhaps the version of MSN you are using has a vulnerability which the machine at that IP is scanning for. Check if there is a Messenger update available. ...unless of course it's the MSN server.
5614 (Author, Posted September 2, 2004)
I doubt MSN has a vulnerability because it is the latest one, and I don't know anyone else with this problem. (All my ports are stealthed anyway.) If it's the MSN server, then surely others would have the same thing? And they don't. Is there a way of tracing it? Or blocking that IP?
obduro (Posted September 4, 2004)
No vuln or anything... I made a search for the IP and it seems like it does belong to Microsoft:

Search results for: 64.4.12.201
OrgName: MS Hotmail
OrgID: MSHOTM
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
NetRange: 64.4.0.0 - 64.4.63.255
CIDR: 64.4.0.0/18
NetName: HOTMAIL
NetHandle: NET-64-4-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.HOTMAIL.COM
NameServer: NS3.HOTMAIL.COM
NameServer: NS2.HOTMAIL.COM
NameServer: NS4.HOTMAIL.COM
Comment:
RegDate: 1999-11-24
Updated: 2003-06-27
TechHandle: MSFTP-ARIN
TechName: MSFT-POC
TechPhone: +1-425-882-8080
TechEmail: iprrms@microsoft.com
OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@microsoft.com
OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: iprrms@microsoft.com
# ARIN WHOIS database, last updated 2004-09-03 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
If contact information is out of date or incorrect, please contact hostmaster@arin.net. Include all relevant information in your e-mail and ARIN will investigate the matter.

The traffic seems legit to me, but if you are still concerned then capture all the packets from that addy and have a look at 'em.
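An added example, not code from this thread or from any of the posters, of the check the WHOIS lookup above does by hand: parse the flat ARIN record into fields and test whether the address the firewall reported falls inside the registered NetRange/CIDR. The record text is copied from obduro's search result (trimmed to the fields used); 64.4.12.201 is the address from the thread, and the other test addresses are constructed as noted in the comments.

```python
"""Added example (not code from this thread): parse a flat ARIN-style WHOIS
record and check whether a firewall-reported address falls inside the block
it registers. Field names follow the 'Key: value' layout of ARIN output."""
import ipaddress

# Record text copied from the ARIN result quoted in the thread (trimmed to the
# fields this check uses). The '#' line mimics ARIN's trailer comment.
WHOIS_RECORD = """\
OrgName:    MS Hotmail
OrgID:      MSHOTM
NetRange:   64.4.0.0 - 64.4.63.255
CIDR:       64.4.0.0/18
NetName:    HOTMAIL
NetType:    Direct Assignment
NameServer: NS1.HOTMAIL.COM
NameServer: NS3.HOTMAIL.COM
NameServer: NS2.HOTMAIL.COM
NameServer: NS4.HOTMAIL.COM
OrgAbuseEmail: abuse@microsoft.com
# ARIN WHOIS database, last updated 2004-09-03 19:10
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict. A key that repeats (NameServer)
    collects its values in a list; comment and blank lines are skipped."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def networks_of(record):
    """Networks the record covers: the CIDR field if present, otherwise the
    NetRange converted to CIDR blocks. Works for IPv4 and IPv6 records."""
    cidr = record.get("CIDR", "")
    if cidr:
        return [ipaddress.ip_network(c.strip(), strict=False) for c in cidr.split(",")]
    lo, _, hi = record.get("NetRange", "").partition("-")
    if not lo.strip() or not hi.strip():
        return []
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))


def ip_in_record(ip, record):
    """True when ip is inside any network the record registers."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks_of(record))


def describe_alert(ip, record):
    """One-line summary to keep with the firewall alert, including the abuse
    contact to use if the traffic turns out to be unwanted."""
    org = record.get("OrgName", "unknown org")
    if ip_in_record(ip, record):
        block = record.get("CIDR") or record.get("NetRange")
        return (f"{ip} is registered to {org} (block {block}); "
                f"abuse contact {record.get('OrgAbuseEmail', 'n/a')}")
    return f"{ip} is NOT inside the block registered to {org}"


if __name__ == "__main__":
    rec = parse_whois(WHOIS_RECORD)
    print(describe_alert("64.4.12.201", rec))  # the address from the thread
    print(describe_alert("64.4.64.1", rec))    # constructed: one past the range
```

The NetRange fallback matters in practice: some registries print a range but no CIDR line, and a range such as 64.4.0.0 - 64.4.63.255 may not be a single CIDR block, which is why `summarize_address_range` returns a list rather than one network.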
5614 (Author, Posted September 4, 2004)
How did you search all of that info? I'm going to play with MSN's access rights to the internet. If this is just Microsoft, then it should be fine to allow it to pass by me, what do you think? The alternative is to keep blocking it.
obduro (Posted September 4, 2004)
> How did you search all of that info?
http://www.arin.net
You could also try http://www.internic.net, look under registry whois.
5614 (Author, Posted September 4, 2004)
And: http://www.ripe.net/perl/whois?form_type=simple&full_query_string=&searchtext=81.86.208.88&Reset+Form=Reset+Form also does a similar thing. Thanks very much.
Dave (Posted September 5, 2004)
> I'm going to play with MSN's access rights to the internet. If this is just Microsoft, then it should be fine to allow it to pass by me, what do you think?
I'd trust Microsoft as far as I can throw them, to be honest. If it works with that port being blocked, you may as well just keep it blocked.
obduro (Posted September 5, 2004)
Ok. Out of curiosity I just dissected the "mysterious" packet. Tell me, do you use voice chat? The IP is apparently that of a voice server. Not much interesting stuff in the packet, and yes, it is safe to let it pass.
5614 (Author, Posted September 5, 2004)
Ok thanks, I don't use the audio feature because there is a compatibility problem between MSN and my microphone, although the option is there. May I ask how you dissected this? The whois I knew about, I just didn't have the website address, but I've seen them before. I have no idea how you learnt that, could you tell me please?
5614 (Author, Posted September 5, 2004)
Ok, I'm guessing that's a program which "explores" packets. However, as he doesn't have the package and I do, could he still have used one? Any links, downloads, advice, names of them? Please and thank you! [nice manners at least]
Dave (Posted September 5, 2004)
I'm not sure of any packet sniffers' names, but I can tell you that a packet sniffer will effectively "sit over" a port, read the incoming packet, store it in some manner and then send it out again. It's useful to see what programs are outputting what information to the web.
5614 (Author, Posted September 5, 2004)
Ok, then my guess of what they are is correct. It also means that he could not have used one, as I have the problem, not him; he's not sitting at my ports sniffing packages... So the question must be asked again: how did you do it, obduro?
Dave (Posted September 5, 2004)
Well, he can emulate it using another copy of Messenger, can't he?
5614 (Author, Posted September 5, 2004)
But nobody else I know has this problem; indeed I've never seen or heard of it anywhere.
obduro (Posted September 7, 2004)
> But nobody else I know has this problem; indeed I've never seen or heard of it anywhere.
I wouldn't call it a problem, it's just a UDP packet sent out to any logging-in user of MSN that most likely provides it with some "necessary" info. However, since they use a UDP packet then I don't believe it's that important. As Dave said, I used my copy of MSN to get a hold of the packet, but to be honest I figured it has something to do with voice chat by looking at another packet from 64.4.12.200 which has a DNS name of e450.voice.microsoft.com... the packet precedes the one you block (64.4.12.201 = echo-v2.msgr.hotmail.com)... I don't think you can gain much info out of either packet since what little they seem to carry seems encrypted (although it might just be a simple way of providing the MSN client with info which so happens to be unreadable by anyone who does not know the source code of MSN. A rather common way of minimizing the amount of traffic necessary.). As for the sniffer, I use Ethereal. Also one site I can recommend is Security Focus.
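An added example, not code from this thread and not Ethereal's own dissector, of what "dissecting" the packet above amounts to: decoding the IPv4 and UDP headers from the raw bytes, verifying the header checksum, and scoring the payload's byte entropy as a rough version of the "looks encrypted" judgement obduro describes. The packet is built inside the block from constructed values; only the 64.4.12.201 source address comes from the thread, while the destination, ports and payload bytes are made up for the example.

```python
"""Added example (not code from the thread or from Ethereal): decode the
IPv4 and UDP headers of a raw packet the way a sniffer's dissector does, and
score the payload's byte entropy as a rough 'does this look encrypted' check.
The packet is built in this file from constructed values."""
import math
import socket
import struct

IP_PROTO_UDP = 17
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
UDP_HDR = "!HHHH"            # src port, dst port, length, checksum


def ipv4_checksum(header):
    """RFC 1071 ones-complement sum over the header bytes; a header whose
    checksum field is already filled in sums to 0 when it is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src_ip, dst_ip, sport, dport, payload, ttl=64):
    """Construct an IPv4/UDP packet (no link layer). The UDP checksum is left
    at 0, which IPv4 permits, so only the IP header checksum is computed."""
    udp = struct.pack(UDP_HDR, sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(udp), 0x1234, 0, ttl,
                     IP_PROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:] + udp


def dissect(packet):
    """Return the fields a sniffer would show for an IPv4 packet; UDP ports and
    payload are filled in when the protocol is UDP. Raises ValueError on
    truncated or corrupted input instead of guessing."""
    if len(packet) < 20:
        raise ValueError("shorter than an IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a complete IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ttl": ttl, "proto": proto, "total_len": total_len}
    if proto == IP_PROTO_UDP:
        if len(packet) < ihl + 8:
            raise ValueError("truncated UDP header")
        sport, dport, ulen, _ucsum = struct.unpack(UDP_HDR, packet[ihl:ihl + 8])
        if ulen < 8 or len(packet) < ihl + ulen:
            raise ValueError("UDP length field disagrees with packet size")
        info.update(sport=sport, dport=dport, payload=packet[ihl + 8:ihl + ulen])
    return info


def is_well_formed(packet):
    """True when dissect() accepts the packet without complaint."""
    try:
        dissect(packet)
        return True
    except ValueError:
        return False


def payload_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant, at most 8.0.
    Compressed or encrypted data of a few hundred bytes sits near 8; a short
    opaque blob like the one in the thread cannot score that high, so for small
    payloads this is only a hint, not proof of encryption."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed sample: the source is the address from the thread; destination,
# ports and payload bytes are made up for this example.
SAMPLE_PAYLOAD = bytes(range(0xF0, 0x100))
SAMPLE_PACKET = build_udp_packet("64.4.12.201", "192.168.1.10", 7001, 6901, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    info = dissect(SAMPLE_PACKET)
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} UDP, "
          f"{len(info['payload'])} payload bytes, "
          f"entropy {payload_entropy(info['payload']):.2f} bits/byte")
```

The checksum and length checks are the part worth copying: a capture tool that trusts the IHL or UDP length fields without comparing them to the bytes actually captured will read past the buffer on a truncated or malformed frame, which is exactly the kind of input a dissector sees in the wild.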
5614 (Author, Posted September 7, 2004)
Ok, thanks, you seem to know a lot about this kinda stuff. Do you happen to know how I can remotely access a friend's computer [possibly via his IP], remembering that he will still have an active firewall?
obduro (Posted September 7, 2004)
Ahhh, the lure of "the dark side"... All I will tell you is that the easiest way is to find and exploit a weakness in his firewall. However, you will have to read quite a bit and hope your friend is using a standard out-of-the-box OS setup. No matter what kind of OS it is, if it's easy to get your hands on and is popular enough then you can be sure there are sites that list plenty of "0-day" exploits for it (same goes for any other software). One more thing: if he is just like the average computer user then chances are that he simply set the firewall to "allow all", thus effectively eliminating its purpose. To get the most out of your firewall, after installing it set it to "always ask". This way it will pop up a warning whenever something tries to access the internet and gives you the option to block it. It might be annoying in the beginning but with time you'll get used to it. After all, better safe than sorry.
5614 (Author, Posted September 8, 2004)
I've configured all my firewall to do it automatically; when there are no good auto figures then it's set up to give me a pop-up. I find that Norton is quite good for it. My friends are ok on computers, they will not allow me to do easy things coz their firewall will stop it! Can you point me in the right direction, like by giving me a site or sumin. They all use XP Home and ZoneAlarm. [some use ZoneAlarm Pro]
obduro (Posted September 8, 2004)
I just reread my last post, as well as yours, and remembered something... It's called Social Engineering and constitutes around 80-90 percent of the entire "professional hacking" process, because humans are usually the weakest link. You could try that on your friends to gain info on their system, whereafter you could research it all on the net for a while. I'm sorry I won't be posting any links atm but I don't really have time right now. You can be sure however that I will provide you with some later on. For now Security Focus is the place to visit... go to their archives and look it through.
5614 (Author, Posted September 8, 2004)
I think that I know all the info about his system which I need to know: OS, security [he has SP2], IP address [traced through an email he sent me]. What else do I need to know? I am interested in remote access. I can hack a computer when it's in front of me, I've done it before, esp. Windows XP Home. I want remote access!? What can I do with an IP? The whois searches don't come up with much useful stuff. I know that hackers can use IP addresses, but I can't see what they actually do with it?
Dave (Posted September 8, 2004)
Mainly it's either password guessing or exploits - and ofc DDoS. Good luck trying to get around the firewall.
obduro (Posted September 9, 2004)
Remote access? What you will need to do depends on what kind of remote access you want... is command line enough, or would you prefer a GUI? Do you only need to issue commands to his machine or would you prefer it to be like Remote Desktop? For some of the approaches all the tools you need are already on your machine; for others you will have to either a) go Script Kiddy style (applies only when you don't spend time to learn how the tools do their job, after all not everyone is a programmer) and download some tools, or b) make them yourself. I myself have very limited experience from the practical side of "hacking", although I know the theory rather well. Currently I administer a small network (16 client machines, 1 admin machine and 2 servers); not much happening here so not much to learn (and I can't turn it into my sandbox). Personally I would recommend you to make a small network (2-5 machines) of your own, as that is the only place where it's not illegal to break into a system. You will learn a lot more this way about how all of this stuff works. Later on you can decide if you want to use your skills to help others, harm others or go the middle way (Aristoteles style).
> Mainly it's either password guessing or exploits - and ofc DDoS. Good luck trying to get around the firewall.
Password guessing works only if you have some idea as to what the password might be; otherwise it's brute forcing and trust me, it's not that effective nowadays. You are correct with exploits. They are still one of the most widely used methods of gaining access to another machine; they work mainly because a) people forget to patch their software and b) some software vendors are not that fast with fixing holes. DoS and DDoS are used mainly to (as their name implies) make a service unavailable to the legitimate traffic by filling the pipe with garbage packets sent from a single host (in the case of DoS) or multiple hosts (DDoS). This type of attack rarely results in a buffer overflow, which can in some cases grant unauthorized access to anyone. Most often it results in the OS either a) shutting down the targeted application or b) crashing itself. I still don't have any links for you 5614. Sorry.
5614 (Author, Posted September 9, 2004)
You mentioned going into script kiddy mode and downloading some programs; the only problem is I don't know what programs to download. If I know a name I can probably find a site from it.... Thanks for above post.